SpecVibe

Security checks across malware telemetry and agentic risk

Overview

SpecVibe appears to be a disclosed software-development guidance skill, with no evidence of hidden execution, credential theft, persistence, or destructive behavior.

Reasonable to install for general software planning and implementation help. Review generated architecture, authentication, secrets handling, infrastructure, and deployment changes before using them, especially for regulated, production, or high-impact systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
This OpenAPI template declares `components` twice, which is invalid/ambiguous in YAML/OpenAPI processing and can cause the later block to overwrite the earlier one. As a result, reusable error responses may be silently dropped while the global `security` section still references `BearerAuth`, leading generated specs, tooling, or downstream implementations to have broken or inconsistent authentication and error-handling behavior.

Vague Triggers

Medium
Confidence: 95%
Finding
The manifest description says to use this skill for 'any new project,' which gives it an extremely broad invocation scope. In an agent ecosystem, such catch-all wording can cause the skill to be selected in unrelated contexts, unnecessarily exposing users and projects to generic code-generation, deployment, and security guidance that may be inappropriate or over-privileged for the task at hand.

VirusTotal

59/59 vendors flagged this skill as clean.
